Amazons Alexa Could be Tricked into Spying on Users

Amazon's Alexa Could be Tricked into Spying on Users

Researchers at Checkmarx were able to build an Alexa skill which could be used to spy on users within earshot. Amazon has now closed the loophole.

Security researchers say they have found a way to make Amazon's Alexa listen in on its users indefinitely, and provide a transcript of everything said in front of the device.

Researchers at cybersecurity firm Checkmarx were able to create an Alexa skill - an applications for the voice-activated assistant - that was able to eavesdrop on users. They created what appeared to be a simple calculator skill for solving math problems but it was actually designed to send transcripts of anything said within earshot of the device back to its creators.

The Alexa service is designed to be fully awake and listening when the user requests the device to list. The active cycle is supposed to be relatively short, with Alexa informing the user when an open session is closed and it is going back to sleep. Researchers decided to examine if the way Alexa listens like this could be exploited.

Once Alexa has performed a task, the code makes a "Should End Session" query, in order to determine if the session remains open or closed after Alexa reads back text, potentially allowing Alexa to stay active for another session. In order to stay active for another session, Alexa sends the user a vocal prompt, informing them that it is still active.

However, researchers found that Alexa's API accepts an empty reprompt code, allowing the vocal prompt to be silent. That means that while Alexa believes it has told the user that the device is still listening, the user is unaware that this is the case.

The blue light on the Echo could give away that the device is still active, but it's possible that users won't notice, or simply won't be looking at the device.

“Echo users need to recognize that 'Alexa Skills' are third-party applications. Just like with any other computing device, users need to be cautious about what applications (or skills) they load and who is providing them. Poorly designed or blatantly malicious applications can lead to degraded user experience as well as privacy or security exposures," security researcher for Tripwire's Vulnerability and Exposure Research Team, Craig Young said. “I would not necessarily call this a security loophole on the part of Amazon. The bottom line here is that for this ‘hack’ to work, a user must load and activate the malicious skill and then ignore the fact that Echo’s blue light remains on.”

Checkmarx disclosed its findings to Amazon, which told the media that it has acted to ensure that skills can no longer be exploited in this way.

"Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do," a spokesperson said.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

Featured

  • Report: 47 Percent of Security Service Providers Are Not Yet Using AI or Automation Tools

    Trackforce, a provider of security workforce management platforms, today announced the launch of its 2025 Physical Security Operations Benchmark Report, an industry-first study that benchmarks both private security service providers and corporate security teams side by side. Based on a survey of over 300 security professionals across the globe, the report provides a comprehensive look at the state of physical security operations. Read Now

    • Guard Services
  • Identity Governance at the Crossroads of Complexity and Scale

    Modern enterprises are grappling with an increasing number of identities, both human and machine, across an ever-growing number of systems. They must also deal with increased operational demands, including faster onboarding, more scalable models, and tighter security enforcement. Navigating these ever-growing challenges with speed and accuracy requires a new approach to identity governance that is built for the future enterprise. Read Now

  • Eagle Eye Networks Launches AI Camera Gun Detection

    Eagle Eye Networks, a provider of cloud video surveillance, recently introduced Eagle Eye Gun Detection, a new layer of protection for schools and businesses that works with existing security cameras and infrastructure. Eagle Eye Networks is the first to build gun detection into its platform. Read Now

  • Report: AI is Supercharging Old-School Cybercriminal Tactics

    AI isn’t just transforming how we work. It’s reshaping how cybercriminals attack, with threat actors exploiting AI to mass produce malicious code loaders, steal browser credentials and accelerate cloud attacks, according to a new report from Elastic. Read Now

  • Pragmatism, Productivity, and the Push for Accountability in 2025-2026

    Every year, the security industry debates whether artificial intelligence is a disruption, an enabler, or a distraction. By 2025, that conversation matured, where AI became a working dimension in physical identity and access management (PIAM) programs. Observations from 2025 highlight this turning point in AI’s role in access control and define how security leaders are being distinguished based on how they apply it. Read Now

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.